Jan 31, 2012

Network Security Projects Using Honeypots

Honeypots are closely monitored decoys that are employed in a network to study the trail of hackers and to alert network administrators of a possible intrusion. Using honeypots provides a cost-effective solution to increase the security posture of an organization. Even though it is not a solution for security breaches, it is useful as a tool for network forensics and intrusion detection. Nowadays, they are also being extensively used by the research community to study issues in network security, such as Internet worms, spam control, DoS attacks and many more.

According to Bruce Schneier in Digital Security in a Networked World book, “Security is a process, not a product.” This famous quote is well echoed by the phenomenon that, although there exist umpteen numbers of security tools that are available today (either as commercial or open-source solutions), none of these tools can single-handedly address all of the security goals of an organization. The security professionals are thus looking for more advanced tools which are effective in detecting and recovering from security breaches. In order to monitor the activities of hackers, the methodology adopted is to deceive, by giving them some emulated set of services on a system which appears to be legitimate. The hackers’ activities are then logged and monitored to gain insight into their employed tactics. This idea is adopted in honeypots, a system whose value lies in being probed, attacked and/or compromised.

Honeypots have received a lot of attention lately from the research community , owing to its use in capturing and logging suspicious networking activities. Apart from its use as a research tool, it has also been deployed in educational institutions as a study tool. For example, the Honeynet Project at Georgia Tech has been used in network security classes in order to teach students how to use tools such as ethereal and tcpdump in order to analyze attack traffic. However, the problem with deploying such a honeypot inside a campus network is twofold. First, the installation of honeypot is quite risky and must be carried out with utmost precision and care, so that the campus network is not intruded. Secondly, legal and ethical issues (such as the Wiretap Act 18 U.S.C. 2511) must be taken care of before such a network is deployed.

Honeypots are generally divided into two categories: production honeypots and research honeypots. Production honeypots add value to the security of a specific organization and help mitigate risks, and are typically implemented within an organization as they help in detecting attacks. Production honeypots are easier to build and deploy, because they require less functionality. They give less information about the attackers than research honeypots. Research honeypots are designed to gain information about the blackhat community. The primary goal is to analyze the hackers’ footprints, such as the identity of the attackers, their modus operandi, and the kind of tools they use to attack other systems.

Based on their level of interaction, honeypots are classified into three categories: low interaction, medium interaction and high interaction honeypots. Low interaction honeypots are primarily production honeypots that are used to help protect a specific organization . A low interaction honeypot is easy to install and it emulates very few services. Attackers can only scan and connect to several ports. The information about the attackers and the risk is limited since the attacker’s ability to interact with the honeypot is limited.

An example of low interaction honeypots is "Honeyd" . Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd works on the principle that when it receives a probe or connection for a system that does not exist, it assumes that the connection attempt is an attack. When honeyd receives such traffic, it logs the IP address of the destination. It then starts the emulated service for the port on which it receives the connection. Once the emulated service is started, it interacts with the attacker and captures all of his activities. The emulated service exits as soon as the attacker disconnects. This process is repeated each time honeyd receives attacks.In Honeyd, a virtual honeypot is configured with a template created in the Honeyd configuration file (honeyd.conf) that defines the characteristics of a honeypot, including operating system type, the ports it listens on, and the behavior of emulated services. Each template is given a name. New templates are created using create command. The set command assigns a personality from Nmap fingerprinting file to the template. The personality determines the network behavior of the given operating system that is simulated by Honeyd. The set command also defines the default behavior for network protocols: block, reset or open. Block indicates that all packets for the specified protocol are dropped by default. Reset means that ports are closed by default. Open means that all ports are open by default. The add command is used to specify the services that are remotely accessible.

High interaction honeypots give vast amount of information about the attackers, but they are extremely time-consuming to build and maintain, and they come with highest level of risk . The primary goal of high interaction honeypot is to give the attacker access to a real operating system in which nothing is emulated or restricted. This provides more information about attackers. These types of honeypots are placed within a controlled environment such as behind a firewall. Because of the control mechanisms, high interaction honeypots can be difficult and time-consuming to install and configure. An example of high interaction honeypots is ‘Honeynet’. What makes a Honeynet different from most honeypots is that it is an entire network of systems. Instead of a single computer, a Honeynet is a network of systems designed for attackers to interact with. The honeypots within the Honeynet can be any type of system, service, or information.

Medium interaction honeypots offer attackers more ability to interact than low interaction honeypots but less functionality than high interaction honeypots . This type of honeypots are designed to give certain predefined responses for expected activities, and provide more information about the attacker than a low interaction honeypot.

Honeypots can be a good tool and can be used as a prototype for computer security lab and design of network security projects. The design of lab exercises for a network security lab is a challenging issue, and researcher need to design a good framework for such projects. The framework describes the issues that must be considered at the time of designing projects for computer or network security labs, and may be considered as a starting point by computer science educators wishing to design computer security projects. Honeypots can be a good tool for students to learn about Networking Security and the blackhat community. The virtual Honeynet was initially closed to the Internet due to concerns of ethical and legal issues, but was eventually open to the Internet world, in order to collect research data about the blackhat community. The collected data and their subsequent analysis helped us to protect our network from attackers.